<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" lang="">
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    
    <title>Django 1.7.6 release notes &#8212; Django 1.8.19 documentation</title>
    
    <link rel="stylesheet" href="../_static/default.css" type="text/css" />
    <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
    
    <script type="text/javascript">
      var DOCUMENTATION_OPTIONS = {
        URL_ROOT:    '../',
        VERSION:     '1.8.19',
        COLLAPSE_INDEX: false,
        FILE_SUFFIX: '.html',
        HAS_SOURCE:  true
      };
    </script>
    <script type="text/javascript" src="../_static/jquery.js"></script>
    <script type="text/javascript" src="../_static/underscore.js"></script>
    <script type="text/javascript" src="../_static/doctools.js"></script>
    <link rel="index" title="Index" href="../genindex.html" />
    <link rel="search" title="Search" href="../search.html" />
    <link rel="top" title="Django 1.8.19 documentation" href="../contents.html" />
    <link rel="up" title="Release notes" href="index.html" />
    <link rel="next" title="Django 1.7.5 release notes" href="1.7.5.html" />
    <link rel="prev" title="Django 1.7.7 release notes" href="1.7.7.html" />



 
<script type="text/javascript" src="../templatebuiltins.js"></script>
<script type="text/javascript">
(function($) {
    if (!django_template_builtins) {
       // templatebuiltins.js missing, do nothing.
       return;
    }
    $(document).ready(function() {
        // Hyperlink Django template tags and filters
        var base = "../ref/templates/builtins.html";
        if (base == "#") {
            // Special case for builtins.html itself
            base = "";
        }
        // Tags are keywords, class '.k'
        $("div.highlight\\-html\\+django span.k").each(function(i, elem) {
             var tagname = $(elem).text();
             if ($.inArray(tagname, django_template_builtins.ttags) != -1) {
                 var fragment = tagname.replace(/_/, '-');
                 $(elem).html("<a href='" + base + "#" + fragment + "'>" + tagname + "</a>");
             }
        });
        // Filters are functions, class '.nf'
        $("div.highlight\\-html\\+django span.nf").each(function(i, elem) {
             var filtername = $(elem).text();
             if ($.inArray(filtername, django_template_builtins.tfilters) != -1) {
                 var fragment = filtername.replace(/_/, '-');
                 $(elem).html("<a href='" + base + "#" + fragment + "'>" + filtername + "</a>");
             }
        });
    });
})(jQuery);
</script>


  </head>
  <body role="document">

    <div class="document">
  <div id="custom-doc" class="yui-t6">
    <div id="hd">
      <h1><a href="../index.html">Django 1.8.19 documentation</a></h1>
      <div id="global-nav">
        <a title="Home page" href="../index.html">Home</a>  |
        <a title="Table of contents" href="../contents.html">Table of contents</a>  |
        <a title="Global index" href="../genindex.html">Index</a>  |
        <a title="Module index" href="../py-modindex.html">Modules</a>
      </div>
      <div class="nav">
    &laquo; <a href="1.7.7.html" title="Django 1.7.7 release notes">previous</a>
     |
    <a href="index.html" title="Release notes" accesskey="U">up</a>
   |
    <a href="1.7.5.html" title="Django 1.7.5 release notes">next</a> &raquo;</div>
    </div>

    <div id="bd">
      <div id="yui-main">
        <div class="yui-b">
          <div class="yui-g" id="releases-1.7.6">
            
  <div class="section" id="s-django-1-7-6-release-notes">
<span id="django-1-7-6-release-notes"></span><h1>Django 1.7.6 release notes<a class="headerlink" href="#django-1-7-6-release-notes" title="Permalink to this headline">¶</a></h1>
<p><em>March 9, 2015</em></p>
<p>Django 1.7.6 fixes a security issue and several bugs in 1.7.5.</p>
<div class="section" id="s-mitigated-an-xss-attack-via-properties-in-modeladmin-readonly-fields">
<span id="mitigated-an-xss-attack-via-properties-in-modeladmin-readonly-fields"></span><h2>Mitigated an XSS attack via properties in <code class="docutils literal"><span class="pre">ModelAdmin.readonly_fields</span></code><a class="headerlink" href="#mitigated-an-xss-attack-via-properties-in-modeladmin-readonly-fields" title="Permalink to this headline">¶</a></h2>
<p>The <a class="reference internal" href="../ref/contrib/admin/index.html#django.contrib.admin.ModelAdmin.readonly_fields" title="django.contrib.admin.ModelAdmin.readonly_fields"><code class="xref py py-attr docutils literal"><span class="pre">ModelAdmin.readonly_fields</span></code></a> attribute in the Django
admin allows displaying model fields and model attributes. While the former
were correctly escaped, the latter were not. Thus untrusted content could be
injected into the admin, presenting an exploitation vector for XSS attacks.</p>
<p>In this vulnerability, every model attribute used in <code class="docutils literal"><span class="pre">readonly_fields</span></code> that
is not an actual model field (e.g. a <code class="xref py py-class docutils literal"><span class="pre">property</span></code>) will <strong>fail to be
escaped</strong> even if that attribute is not marked as safe. In this release,
autoescaping is now correctly applied.</p>
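<p>Added example, not part of the Django release notes or Django's own code: a self-contained Python model of the behaviour described above, showing which <code class="docutils literal"><span class="pre">readonly_fields</span></code> entries were emitted raw before this release and how they render after it. The names <code class="docutils literal"><span class="pre">SafeText</span></code>, <code class="docutils literal"><span class="pre">Comment</span></code>, <code class="docutils literal"><span class="pre">render_readonly</span></code> and <code class="docutils literal"><span class="pre">unescaped_before_fix</span></code> are hypothetical, and <code class="docutils literal"><span class="pre">SafeText</span></code> stands in for a value explicitly marked as safe.</p>

```python
from html import escape


class SafeText(str):
    """Stand-in for a string that was explicitly marked safe."""


class Comment:
    """Constructed sample object; body holds user-submitted text."""

    def __init__(self, body):
        self.body = body

    @property
    def preview(self):  # derived from untrusted input, not a model field
        return self.body[:40]

    @property
    def badge(self):  # markup the developer wrote and marked safe
        return SafeText("<b>staff</b>")


MODEL_FIELDS = {"body"}                     # real model fields
READONLY_FIELDS = ("body", "preview", "badge")


def unescaped_before_fix(readonly_fields, model_fields):
    """Entries that are attributes, not fields: raw output before 1.7.6."""
    return [n for n in readonly_fields if n not in model_fields]


def render_readonly(obj, name, model_fields, patched):
    """Model of the admin's output for one readonly_fields entry."""
    value = getattr(obj, name)
    if callable(value):
        value = value()
    marked_safe = isinstance(value, SafeText)
    text = str(value)
    if name in model_fields:
        return escape(text)          # fields were always escaped
    if not patched:
        return text                  # the bug: attribute emitted as-is
    return text if marked_safe else escape(text)


if __name__ == "__main__":
    row = Comment("<b>injected</b>")
    for version, patched in (("1.7.5", False), ("1.7.6", True)):
        for name in READONLY_FIELDS:
            print(version, name, render_readonly(row, name, MODEL_FIELDS, patched))
```

<p>After the fix, a property that intentionally returns markup is rendered as text unless it is explicitly marked as safe.</p>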
</div>
<div class="section" id="s-bugfixes">
<span id="bugfixes"></span><h2>Bugfixes<a class="headerlink" href="#bugfixes" title="Permalink to this headline">¶</a></h2>
<ul class="simple">
<li>Fixed crash when coercing <code class="docutils literal"><span class="pre">ManyRelatedManager</span></code> to a string
(<a class="reference external" href="https://code.djangoproject.com/ticket/24352">#24352</a>).</li>
<li>Fixed a bug that prevented migrations from adding a foreign key constraint
when converting an existing field to a foreign key (<a class="reference external" href="https://code.djangoproject.com/ticket/24447">#24447</a>).</li>
</ul>
</div>
</div>


          </div>
        </div>
      </div>
      
        
          <div class="yui-b" id="sidebar">
            
              <h3>Last update:</h3>
              <p class="topless">Mar 10, 2018</p>
          </div>
        
      
    </div>

  </div>

      <div class="clearer"></div>
    </div>
  </body>
</html>